[strongSwan] ANNOUNCE: strongswan-5.1.0rc1 released
Andreas Steffen
andreas.steffen at strongswan.org
Mon Jul 22 09:45:47 CEST 2013
Hi,
we are proud to present a lot of new features in our latest 5.1.0
release candidate:
* Easy-to-Use "charon-cmd" Command-Line IKE Client
------------------------------------------------
- The new charon-cmd command line IKE client can establish road
warrior connections using IKEv1 or IKEv2 with different
authentication profiles. It does not depend on any configuration
files (no ipsec.conf nor ipsec.secrets but may use strongswan.conf
options) and can be configured using a few simple command line
options. More information is available via the man page
man charon-cmd
* Support of PKCS#12 Private Key/Certificate Container Format
-----------------------------------------------------------
- Extraction of certificates and private keys from PKCS#12 files is
now provided by the new pkcs12 plugin
http://www.strongswan.org/uml/testresults5rc/ikev2/net2net-pkcs12/
or the openssl plugin
http://www.strongswan.org/uml/testresults5rc/openssl-ikev2/net2net-pkcs12/
- charon-cmd (--p12) as well as charon (via P12 token in
ipsec.secrets) can make use of this new functionality.
* Support of ssh-agent and other Public Key Formats
-------------------------------------------------
- The sshkey plugin parses SSH public keys, which, together with the
--agent option for charon-cmd, allows the use of ssh-agent for
authentication.
- To configure SSH keys in ipsec.conf the left|rightrsasigkey options
are replaced with left|rightsigkey, which now take public keys in
one of three formats:
* SSH (RFC 4253, ssh: prefix)
* DNSKEY (RFC 3110, dns: prefix)
http://www.strongswan.org/uml/testresults5rc/ikev2/rw-dnssec/carol.ipsec.conf
* PKCS#1 (the default, no prefix).
http://www.strongswan.org/uml/testresults5rc/ikev2/rw-dnssec/moon.ipsec.conf
* Trusted Network Connect (TNC) Policy Manager Interface
------------------------------------------------------
- Using a SQL database interface, a TNC Policy Manager can generate
specific measurement workitems for an arbitrary number of
Integrity Measurement Verifiers (IMVs), based on the history of the
individual VPN users and/or client devices.
http://www.strongswan.org/uml/testresults5rc/tnc/tnccs-20-os/
http://www.strongswan.org/uml/testresults5rc/tnc/tnccs-20-pts/
- We are currently working on the documentation and some demo examples
for the new Python/Django-based strongTNC Policy Manager Tool
implemented by the HSR students Stefan Rohner and Marco Tanner as
part of their Bachelor Thesis:
https://github.com/strongswan/strongTNC
* IPsec ESP Userland Encryption with libipsec
-------------------------------------------
- The new kernel-libipsec plugin uses TUN devices and libipsec to
provide IPsec processing in userland on Linux, FreeBSD and Mac OS X:
http://www.strongswan.org/uml/testresults5rc/libipsec/net2net-cert/
- At last people get back their cherished ipsec0 interface carrying
plain text traffic whereas eth0 shows the IKE negotiation and
encrypted ESP traffic:
http://www.strongswan.org/uml/testresults5rc/libipsec/net2net-cert/moon.iptables
- libipsec now supports AES-GCM which will be automatically
accelerated if the openssl plugin detects the Intel AES-NI
instruction set.
http://www.strongswan.org/uml/testresults5rc/libipsec/rw-suite-b/
- Thus libipsec is ideally suited for Suite B compliance on Mac OS X
where the kernel does not offer ESP AES-GCM support.
* Improvements for Mac OS X and FreeBSD
------------------------------------
- The kernel-pfroute networking backend has been greatly improved.
It now can install virtual IPs on TUN devices on OS X and FreeBSD,
allowing these systems to act as a client in common road warrior
scenarios.
- The new osx-attr plugin installs configuration attributes
(currently DNS servers) via SystemConfiguration on Mac OS X.
The keychain plugin provides certificates from the OS X keychain
service.
* Miscellaneous Improvements
--------------------------
- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
- IKEv2 exchange initiators now properly close an established IKE or
CHILD_SA on error conditions using an additional exchange, keeping
state in sync between peers.
- The leak-detective developer tool has been greatly improved. It
works much faster and more stably with multiple threads, does not
use deprecated malloc hooks anymore and has been ported to OS X.
- chunk_hash() is now based on SipHash-2-4 with a random key. This
provides better distribution and prevents hash flooding attacks
when used with hashtables.
- All default plugins implement the get_features() method to define
features and their dependencies. The plugin loader has been
improved, so that plugins in a custom load statement can be ordered
freely or to express preferences without being affected by
dependencies between plugin features.
- A centralized thread can take care of watching multiple file
descriptors concurrently. This removes the need for dedicated
listener threads in various plugins. The number of "reserved"
threads for such tasks has been reduced to about five, depending on
the plugin configuration.
- Plugins that can be controlled by a UNIX socket IPC mechanism
gained network transparency. Third party applications querying these
plugins now can use TCP connections from a different host.
* Unit Tests
----------
- Several core classes in libstrongswan are now tested with unit
tests. These can be enabled with --enable-unit-tests and run with
make check
- Coverage reports can be generated with --enable-coverage and
make coverage
make coverage disables any optimization, so it should not be
enabled when building production releases.
Please test our manifold new features and report any issues.
ETA for the stable 5.1.0 release is approximately the end of July.
Best regards
Tobias Brunner, Martin Willi, Andreas Steffen
The strongSwan Team
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==